
Using a password manager

mc2fool
Lemon Half
Posts: 7893
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3051 times

Re: Using a password manager

#150104

Postby mc2fool » July 5th, 2018, 9:36 am

Nocton wrote:As mentioned, I use Firefox's built-in PW Manager. Others have mentioned KeePass. But here is a thread from the Firefox Support Forum about whether KeePass is any better.
What is more secure to save passwords - Firefox Password manager or Keepass application: https://support.mozilla.org/en-US/questions/1140297
Answer, No.

How does Firefox's built-in manager handle the "enter characters 2, 6 & 13 of your password" type security fields?

How about the "memorable questions" ones where you've previously told it e.g. your favourite film, your first car and where you were born and it randomly asks you one of the three? Or characters 2, 6 & 13 from a random one of the three?

Does Firefox generate passwords?

Can you organise the entries into folders and sub-folders?

Can you add non-website related entries? E.g. your email servers' SMTP/POP3/IMAP details and passwords.

Can you attach other information to the entries? Random notes/whatever you want?

JonE
Lemon Slice
Posts: 403
Joined: November 11th, 2016, 11:35 am
Has thanked: 26 times
Been thanked: 97 times

Re: Using a password manager

#150155

Postby JonE » July 5th, 2018, 12:10 pm

vrdiver wrote:With Keepass I can take the file, load it to a location of my choice and use any browser I like ...


Users of multiple Windows machines (and some others) may appreciate the extra attributes of a portable app such as the versions available from reputable sources such as portableapps.com
KeePass Classic (i.e. v1.nn) https://portableapps.com/apps/utilities ... s_portable
KeePass Pro (i.e. v2.nn) https://portableapps.com/apps/utilities ... o-portable
KeePassXC (actively-developed community fork of KeePassX) https://portableapps.com/apps/utilities ... c-portable

As the likelihood of encountering XP machines (in particular, those without .NET added) in the wild is now tending towards zero (and who would open KeePass on someone else's XP machine anyway?), I see little or no point in sticking with v1 database format. Later versions can import (but not export) v1 database.

As a separate aspect, I note that XC is said to permit the use of multiple browsers simultaneously (if browser integration is required).

Cheers!

Nocton
Lemon Slice
Posts: 493
Joined: November 6th, 2016, 11:25 am
Has thanked: 135 times
Been thanked: 138 times

Re: Using a password manager

#150282

Postby Nocton » July 5th, 2018, 5:48 pm

mc2fool wrote:How does Firefox's built-in manager handle the "enter characters 2, 6 & 13 of your password" type security fields?
How about the "memorable questions" ones where you've previously told it e.g. your favourite film, your first car and where you were born and it randomly asks you one of the three? Or characters 2, 6 & 13 from a random one of the three?
Does Firefox generate passwords?
Can you organise the entries into folders and sub-folders?
Can you add non-website related entries? E.g. your email servers' SMTP/POP3/IMAP details and passwords.
Can you attach other information to the entries? Random notes/whatever you want?

The answer to all those is no, FF PW Manager does not do those things. It is what it says on the tin - a Password Manager. None of those things are required for normal log-ins, e.g. LNER trains, shopping sites, forums like this. Literally hundreds of places ask you to log-in with a simple password. And I don't want to use another browser. The sites that do ask those things - finance sites, mostly - I would not use a Password Manager that can be accessed via the web or passed around, because not secure enough for me. That's where I use First Direct's Money Manager for banking, savings and credit cards. For stockbroker, ISA accounts, etc. my passwords are securely kept in an encrypted folder, should I forget them, but easily rememberable so I don't need to look them up.

Each to his own preferences, though, and this thread has certainly explored the options.

HowardRoark
Posts: 18
Joined: January 27th, 2017, 3:03 pm
Has thanked: 3 times
Been thanked: 4 times

Re: Using a password manager

#150489

Postby HowardRoark » July 6th, 2018, 1:46 pm

It seems the only way one can remain secure is to store sensitive stuff like passwords on a device never connected to the internet?


I usually find a well-hidden notebook at home does the job! :D

Am I missing something? In my notebook I might use pictures and/or key words to identify for which website the password is for and then simply write out the password. Yes, I might lose the lot in the event of fire or burglary but a burglar would be a pretty odd one to find the notebook . . . and I would definitely know if there had been a burglary or fire which would prompt me to change all my passwords!

Fire or burglary seems a more remote possibility than anything online being breached, it seems to me! Particularly as nowadays the method seems to be to lie in wait for a long time, gathering data, before launching any data attack.

So I'm wondering what advantage there is using Keepass or whatever? I can see one once I'm reaching elderly status and memory starts to play tricks . . . but otherwise . . ?

mc2fool
Lemon Half
Posts: 7893
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3051 times

Re: Using a password manager

#150584

Postby mc2fool » July 6th, 2018, 5:57 pm

Nocton wrote:The answer to all those is no, FF PW Manager does not do those things. It is what it says on the tin - a Password Manager.

A basic bare bones one, and only for the lowest common denominator cases -- indeed, as evidenced by the fact that you need a couple of additional solutions to cover the gamut of your credentials management needs. :D

Nocton wrote:None of those things are required for normal log-ins, e.g. LNER trains, shopping sites, forums like this. Literally hundreds of places ask you to log-in with a simple password.

Indeed, of the 300+ entries in my password database the vast majority, at least 90%, maybe more, are just username/email plus full-password. But while those are the vast majority of entries they are the great minority of logins, as they are either of infrequent use or -- as with forums like this -- the sites remember you and only require you to log in once or once in a blue moon. The vast majority of my logins have more complex credentials than the just plain and mundane username plus full-password.

Nocton wrote:I would not use a Password Manager that can be accessed via the web or passed around, because not secure enough for me. That's where I use First Direct's Money Manager for banking, savings and credit cards. For stockbroker, ISA accounts, etc. my passwords are securely kept in an encrypted folder, should I forget them, but easily rememberable so I don't need to look them up.

Keepass isn't web based, it's local. As for "passed around", if you have multiple devices you (somehow or another) need to get your passwords etc to them, and with Keepass that's just an encrypted file and is no different from passing around your encrypted folder to your other devices.

I'm not a First Direct customer so I don't know about their Money Manager ... is this a system where you give it the login details of all of your other bank accounts, etc, and it then logs into them for you? If so, questions to ask are, where and how does it store that critical info? Is it open source? How do you use it (with your info) on another device?

And as for your "easily rememberable" passwords, either you have an amazing memory, or you have very few passwords to remember (or :shock: you use the same one in lots of places). My only easily memorable (for me) password is my master password.

Nocton wrote:Each to his own preferences, though, and this thread has certainly explored the options.

Indeed, and if you're happy enough with your solutions for your needs, then fine. However, your conclusion earlier isn't correct. You said (my bolding):
Nocton wrote:As mentioned, I use Firefox's built-in PW Manager. Others have mentioned KeePass. But here is a thread from the Firefox Support Forum about whether KeePass is any better.
What is more secure to save passwords - Firefox Password manager or Keepass application: https://support.mozilla.org/en-US/questions/1140297
Answer, No.

While, of course, password security is primary, as that same forum item points out, a decent password manager does more than just that bare minimum, and although Keepass's and Firefox's password security may be equal, that doesn't mean that Keepass isn't better :D

mc2fool
Lemon Half
Posts: 7893
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3051 times

Re: Using a password manager

#150586

Postby mc2fool » July 6th, 2018, 6:02 pm

HowardRoark wrote:I usually find a well-hidden notebook at home does the job! :D
:
So I'm wondering what advantage there is using Keepass or whatever?

Well, for one you don't have to dig out and leaf through a well-hidden notebook whenever you want to log in to a site, and for another you don't have to keep a well-concealed notebook (which is likely to be bigger than your smart phone too) about your person when you're out and about :D

Itsallaguess
Lemon Half
Posts: 9129
Joined: November 4th, 2016, 1:16 pm
Has thanked: 4140 times
Been thanked: 10032 times

Re: Using a password manager

#150598

Postby Itsallaguess » July 6th, 2018, 6:36 pm

mc2fool wrote:
HowardRoark wrote:I usually find a well-hidden notebook at home does the job!

So I'm wondering what advantage there is using Keepass or whatever?


Well, for one you don't have to dig out and leaf through a well-hidden notebook whenever you want to log in to a site, and for another you don't have to keep a well-concealed notebook (which is likely to be bigger than your smart phone too) about your person when you're out and about.


Agreed - I find one of the most useful Keepass features is its lightning-quick search-facility, especially for anyone like me with many sub-folders for account categories, and many, many account entries.

Cheers,

Itsallaguess

kiloran
Lemon Quarter
Posts: 4112
Joined: November 4th, 2016, 9:24 am
Has thanked: 3253 times
Been thanked: 2855 times

Re: Using a password manager

#150616

Postby kiloran » July 6th, 2018, 8:02 pm

mc2fool wrote:
HowardRoark wrote:I usually find a well-hidden notebook at home does the job! :D
:
So I'm wondering what advantage there is using Keepass or whatever?

Well, for one you don't have to dig out and leaf through a well-hidden notebook whenever you want to log in to a site, and for another you don't have to keep a well-concealed notebook (which is likely to be bigger than your smart phone too) about your person when you're out and about :D

For me, the main advantages of Keepass are
  1. It works on Windows, Linux and Android
  2. It is easy to back up
  3. I can also use it to store critical files as part of the encrypted data
  4. I can export all the data to CSV/XML/TXT and save it (in another encrypted form) elsewhere, so that if Keepass suddenly ceases to exist, I can still access my data, and probably import to a different password manager

--kiloran

taylor20
Lemon Pip
Posts: 66
Joined: November 4th, 2016, 11:59 am
Has thanked: 10 times
Been thanked: 22 times

Re: Using a password manager

#151026

Postby taylor20 » July 9th, 2018, 7:33 am

A couple of observations, that have yet to be made:

I know the security at most sites (including) banks is p*ss poor (One of the sites that has 'sold' my email address was Halifax), but you generally cannot brute force your password at these sites, 3 strikes and you're out. However a file based password manager will feel the full force of whatever compute an attacker may have, so the strength of this password is paramount!

One massive security hole that I (had until a few minutes ago!) is probably on my oldest account, my email login, if you have not enabled 2 factor on all your sensitive accounts this is in effect your master password. It's also one I use every day, and most likely to use at an internet café.
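
Added example, not part of any post in this thread: a way to put numbers on the contrast between a site that locks out after three tries and a stolen vault file that can be guessed at offline. PBKDF2 is a stand-in for whatever key-derivation function a vault uses, and the attacker speed-up, lockout window and password shapes are assumptions constructed for illustration.

```python
import hashlib
import math
import os
import time


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key (PBKDF2 as a stand-in KDF)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def measure_guess_rate(iterations: int, samples: int = 3) -> float:
    """Guesses per second on this machine when each guess costs one KDF run."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"guess-{i}", salt, iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return samples / elapsed


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are picked uniformly at random."""
    return length * math.log2(alphabet_size)


def offline_expected_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the search space at that rate."""
    return 2 ** (bits - 1) / guesses_per_second


def online_expected_seconds(bits: float, tries_per_lockout: int = 3,
                            lockout_seconds: float = 86400.0) -> float:
    """Same expectation when a site allows only a few tries per lockout window."""
    return offline_expected_seconds(bits, tries_per_lockout / lockout_seconds)


def human(seconds: float) -> str:
    years = seconds / (365.25 * 86400)
    return f"{years:.3g} years" if years >= 1 else f"{seconds / 3600:.3g} hours"


if __name__ == "__main__":
    # Assumption: the attacker's hardware is 10,000x faster than this machine.
    ATTACKER_SPEEDUP = 10_000
    # Constructed password shapes. These figures hold only for uniformly random
    # characters; a password built from a sentence has less entropy than this.
    candidates = [
        ("8 random lowercase letters", 8, 26),
        ("12 random letters and digits", 12, 62),
        ("21 random printable ASCII", 21, 94),
    ]
    for label, length, alphabet in candidates:
        bits = random_password_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits")
        print(f"  online, 3 tries per day: {human(online_expected_seconds(bits))}")
        for iterations in (1, 200_000):
            rate = measure_guess_rate(iterations) * ATTACKER_SPEEDUP
            t = offline_expected_seconds(bits, rate)
            print(f"  offline, {iterations} KDF iterations: {human(t)}")
```

Raising the iteration count only multiplies the offline time by a constant, while each extra random character multiplies it by the alphabet size, which is why the master password's length matters more than any vault setting.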

vrdiver
Lemon Quarter
Posts: 2574
Joined: November 5th, 2016, 2:22 am
Has thanked: 552 times
Been thanked: 1212 times

Re: Using a password manager

#151030

Postby vrdiver » July 9th, 2018, 7:49 am

taylor20 wrote:A couple of observations, that have yet to be made:

I know the security at most sites (including) banks is p*ss poor (One of the sites that has 'sold' my email address was Halifax), but you generally cannot brute force your password at these sites, 3 strikes and you're out. However a file based password manager will feel the full force of whatever compute an attacker may have, so the strength of this password is paramount!

One massive security hole that I (had until a few minutes ago!) is probably on my oldest account, my email login, if you have not enabled 2 factor on all your sensitive accounts this is in effect your master password. It's also one I use every day, and most likely to use at an internet café.


Agreed. Consider the scenario whereby somebody observes you use your phone (perhaps noting a couple of characters of your login and the number of keys pressed). Your phone, once unlocked gives access to your email account (quite often without need to log in) and has the two-factor authorisation code generator, with a handy list of which accounts you have.

Phone theft moves from "annoying and inconvenient" to "catastrophic" very quickly :o

Question is, how does the average person avoid this pitfall?

VRD

Infrasonic
Lemon Quarter
Posts: 4490
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: Using a password manager

#151036

Postby Infrasonic » July 9th, 2018, 8:12 am

vrdiver wrote:Question is, how does the average person avoid this pitfall?


USB U2F keys with NFC are 'mobile friendly', although there's still the learning curve for the average user to overcome, and if you lose (or get stolen) both the phone and the key then you're back to square one security wise.
https://www.yubico.com/why-yubico/for-i ... s/keepass/

I'm nearly ready to try out U2F keys, they're at the stage where they have broad enough scope and work with enough apps to make a purchase justifiable.

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Using a password manager

#152908

Postby superFoolish » July 17th, 2018, 2:10 pm

I use KeePass on my Windows PCs and on my iPhone. I sync the KeePass file 'somewhere on the Internet'. It's not on a service such as Google Drive or OneDrive, or Dropbox, etc; it isn't even a service that one would consider to be cloud storage or email, and it has a file name that no one would identify as anything to do with passwords or security. It also has a very long password on it, so I am happy that it is secure enough.

I don't think a day goes by that I don't use KeePass, either on Windows or iPhone, and I find it very convenient.

In addition to the every-day stuff, I have a couple of financial accounts stored in it, about which I am totally paranoid, so in addition to using a strong password, the account details are obfuscated so, even if someone found the file and cracked the password, they would be highly unlikely to realise that my super-secret information even pertained to financial accounts. This would not be practical for every-day banking, but for accessing such accounts once a month, I am happy with the solution.

There is not a chance that I would use an on-line password-storage service; too risky in my view.

My favourite trick for creating long passwords is to pick a sentence from a song, or a poem or a book (but none of your favourites or popular ones!), and then take the initial letters, switching some of them for digits and symbols, and using symbols for separators. I have my own method for substitution, e.g. for the letter 'a' you could use an '@' (but maybe not so obvious).

Example:

I do not love you except because I love you;
I go from loving to not loving you

could become:

#1dnluxbIlu$1gfltnlu^

The above looks almost impossible to type, but I have passwords like this that I can type without even thinking about them.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Using a password manager

#153029

Postby AF62 » July 17th, 2018, 9:05 pm

superFoolish wrote:My favourite trick for creating long passwords is to pick a sentence from a song, or a poem or a book (but none of your favourites or popular ones!), and then take the initial letters, switching some of them for digits and symbols, and using symbols for separators.


These days I just let Chrome suggest a random strong password and then let Google store it. I have no idea what the passwords are for most of the sites I access.

Lanark
Lemon Quarter
Posts: 1340
Joined: March 27th, 2017, 11:41 am
Has thanked: 600 times
Been thanked: 587 times

Re: Using a password manager

#153035

Postby Lanark » July 17th, 2018, 9:38 pm

Meatyfool wrote:I found out about this ages ago but never got around to using it.

https://ss64.com/pass/pass.html

I like the simplicity in that you don't have to have an app that works here there and everywhere, just a browser.

Whilst I am aware that a keylogger gathering your master password could leave all your passwords bare, I would still not use this for financials.

Is this a risky approach?

Meatyfool..

There's a discussion of that here:
https://security.stackexchange.com/ques ... d-approach

A key consideration is making sure you choose a really good/strong master password.

Lanark
Lemon Quarter
Posts: 1340
Joined: March 27th, 2017, 11:41 am
Has thanked: 600 times
Been thanked: 587 times

Re: Using a password manager

#153040

Postby Lanark » July 17th, 2018, 9:59 pm

taylor20 wrote:One massive security hole that I (had until a few minutes ago!) is probably on my oldest account, my email login, if you have not enabled 2 factor on all your sensitive accounts this is in effect your master password. It's also one I use every day, and most likely to use at an internet café.


The thing with Two Factor is that it is only as secure as your phone company - here's a story of someone who found out the hard way that mobile network providers don't really care very much about security:

https://www.theverge.com/2017/7/10/1594 ... urity-mess

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Using a password manager

#153062

Postby superFoolish » July 18th, 2018, 2:05 am

AF62 wrote:
superFoolish wrote:My favourite trick for creating long passwords is to pick a sentence from a song, or a poem or a book (but none of your favourites or popular ones!), and then take the initial letters, switching some of them for digits and symbols, and using symbols for separators.


These days I just let Chrome suggest a random strong password and then let Google store it. I have no idea what the passwords are for most of the sites I access.


To clarify, I only use 'hand-made' passwords when I need to be able to remember them and enter them manually. For example, I need to know my KeePass password, and there are a couple of other passwords I need to be able to recall and enter manually. These are not stored anywhere electronically.

I only use my web-browser's password storage features for the most trivial of sites that I have to log into (i.e. no personal identifying or financial information). On that note, I have a separate Gmail address for signing up to such sites; they can't even be connected to me by the email address that I use.

All my other passwords are automatically-generated, very strong passwords, stored in KeePass.

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Using a password manager

#153064

Postby superFoolish » July 18th, 2018, 2:32 am

vrdiver wrote:
taylor20 wrote:A couple of observations, that have yet to be made:

...Consider the scenario whereby somebody observes you use your phone (perhaps noting a couple of characters of your login and the number of keys pressed). Your phone, once unlocked gives access to your email account (quite often without need to log in) and has the two-factor authorisation code generator, with a handy list of which accounts you have.

Phone theft moves from "annoying and inconvenient" to "catastrophic" very quickly :o

Question is, how does the average person avoid this pitfall?

VRD


Your scenario suggests that important account passwords are being stored on a phone, protected by only the phone's password / PIN.

I use the KeePass app on my phone, and I require that I have to manually enter my long, strong, KeePass password to access my other passwords (other than trivial logins, which are stored in my web browser account).

I do access my every-day bank account and credit card using Apple's fingerprint technology, because I consider that to be practical and secure enough for its purpose. Whilst I can (and do) access my more important financial accounts from my phone, I have to log into KeePass to get the login details and, as previously mentioned, for my most important accounts, I have obfuscated the account login and password in KeePass.

With regards to my phone:

1) To access my every-day bank account & credit card, someone would need my fingerprint (the PIN isn't enough).
2) To access my more important accounts, someone would need my fingerprint (or phone PIN) and KeePass password
3) To access my most important accounts, someone would need my fingerprint (or phone PIN) and KeePass password, and they would need to be able to locate and identify the obfuscated account name and then realise that the password was also obfuscated.

Whilst some of the above may appear to make it very complex to access my more / most important accounts, in practice, it takes me about 60 seconds to access any of my more important accounts, and about 90 seconds for me to access my most important accounts, and I am more than happy with that inconvenience.

I have no doubts that my security is not perfect, and if someone was targeting me specifically (as opposed to randomly), they could probably get into some of my accounts, but for random attacks, I think they'd find it easier to move on to an easier target.

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: Using a password manager

#153066

Postby superFoolish » July 18th, 2018, 5:48 am

superFoolish wrote:Your scenario suggests that important account passwords are being stored on a phone, protected by only the phone's password / PIN.


Replying to myself... I realise that I did not actually address the point you were making regarding 2FA!

Thinking of possible solutions, the best I can come up with is to obfuscate the account details in the authenticator app, i.e. do not display the email address (or display a fake one); this appears to be possible in the Google authenticator app, but not in Microsoft's app, where it appears that the email address is inextricably linked to the auth details. Unfortunately, even in the Google app, it doesn't seem possible to change the name of the type of account so, for example, anyone who accesses your phone would know that you had accounts with various providers, which is a starting point for attack.

Perhaps these authenticator apps should have an additional layer of security; at minimum a PIN.

I have an additional level of confidence inasmuch as I use fingerprint for access for my phone, so no one would ever see me enter my PIN. I am aware that fingerprint security is not infallible, but it is still very secure.

For most of us who adhere to basic security procedures, I think we are safe enough from casual or random hacking attempts, but probably far less-so from targeted attacks; by 'targeted', I mean that someone has decided that they need access to my accounts, and they are going to keep trying for an extended period.

Many people seem to be extraordinarily careless with their phones; every day, I see people leaving their phones on their desks in the office, in their back pockets, open bags, etc. Even momentarily placing a phone on a shop counter is foolish in my opinion. They're the ones who are most likely to have their phones snatched.

Bear in mind that if you are worried about someone accessing your 2FA info, then you only need to worry about targeted attacks; most phones that are stolen are either reset and resold or used for making free phone calls until they are blocked. If you are worried about targeted attacks on an account that has 2FA, then a) Be very careful with your phone, and b) Ensure that your phone allows a 6 digit PIN (and only use it when no one can see you entering it!)

Nocton
Lemon Slice
Posts: 493
Joined: November 6th, 2016, 11:25 am
Has thanked: 135 times
Been thanked: 138 times

Re: Using a password manager

#153106

Postby Nocton » July 18th, 2018, 10:24 am

If you do a web search for 'fingerprint access for phone how secure' I think you will see that it is probably no more secure than any other method.

Infrasonic
Lemon Quarter
Posts: 4490
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: Using a password manager

#153111

Postby Infrasonic » July 18th, 2018, 10:42 am

Nocton wrote:If you do a web search for 'fingerprint access for phone how secure' I think you will see that it is probably no more secure than any other method.


Likewise the facial recognition that is currently being used, quite easy to bypass.

